McAfee started rolling out Thursday a patch for its hosted anti-malware service, which a hacker could hijack to send spam from the IP address of a McAfee customer's computer.
The flaw was first reported Monday in the blog of the British art firm Kaamar Limited. McAfee confirmed the vulnerability in its SaaS for Total Protect product Wednesday. McAfee said it would take a couple of days to roll out the patch to all customers.
Total Protect is used to help prevent customers from downloading malware from malicious Web sites. McAfee said the vulnerability did not open up customers' computers to hackers. "It doesn't allow access to the user's computer, so no one's system has been compromised," a spokesman said.
The problem stemmed from a flaw in McAfee's "rumor" technology used in the vendor's system for distributing updates. The patch also fixed a vulnerability with an ActiveX control in the product. A hacker could exploit that flaw to execute code, McAfee said. A fix released last August for a similar problem effectively cut the exploitation path, so "customer data is not directly at risk."
